Data sharing code consultation
Parliament & Government Affairs 
Information Commissioner's Office 
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5A


By email only: datasharingcode@ico.org.uk 


Dear Sir or Madam 


We are writing to provide our feedback in connection with the ICO’s consultation on its updated data 
sharing code of practice. 


Sky welcomes the updated code of practice and the clarity it provides on how data protection law applies 
to data sharing. In particular, we consider that the separate lists of factors that a controller ought to 
consider when contemplating and reviewing their data sharing arrangements will be useful for businesses 
in managing their internal processes. 


We have outlined a small number of points below which we would seek to clarify in the context of the 
consultation. 


Page 21 of the code states that in the ICO's view, a DPIA may be required where a controller is “processing 
records where there is a risk of harm to individuals in the event of a data breach, such as whistleblowing or 
social care records”. Whilst we acknowledge that the two examples given in this extract relate to highly 
sensitive data, we consider that the phrase “risk of harm” might be read as suggesting that a DPIA is almost 
universally required; nearly any processing operation will present a risk of harm, albeit a risk that is often 
remote. We assume that this is not the ICO's intention, and that organisations would not be penalised for 
only carrying out DPIAs when there is a high risk to the rights and freedoms of individuals, in line with Article 
35 GDPR and the related guidance. 


We would also query some of the suggestions for inclusion in a data sharing agreement outlined on pages 
26-28. Firstly, the recommendation that the contract should include contact details for “other key members 
of staff” in addition to the DPO would present a challenge in practice, as any communications to these
individuals would be addressed through standard contract management routes and would be 
administratively difficult to manage in the case of leavers and joiners. Similarly, we think that the 
suggestion that the agreement should “also deal with the main practical problems that arise when sharing
personal data” may be too prescriptive to allow for practical day-to-day management of data sharing 
arrangements, as this might present a need to frequently update and vary contracts as circumstances 
change. The same concern also applies in relation to the suggestion to have an appendix containing a 
summary of key legislative provisions, a model form for seeking consent, and a diagram showing how to 
decide whether to share data.


On pages 29 and 30, the code outlines that all the organisations involved in the sharing should check
whether “all the organisations involved in the sharing are still applying the retention periods correctly” and “all 
the organisations involved in the sharing have attained and are maintaining an appropriate level of security”. 
To us, this wording currently reads as if each controller should evaluate the others (almost resembling a 
controller-processor relationship), when we assume the intention is instead for each party to monitor its 
own compliance. 


Page 34 of the code states that an organisation’s DPO “should be closely involved from the outset in any 
plans to enter into a data sharing arrangement”. Whilst we recognise that the code is aimed at a broad range
of organisations and that this may be appropriate in some contexts, this wording does not fit businesses 
which have other teams and processes in place to advise on DP matters, either separately or additionally 
to the DPO. We acknowledge, of course, that a DPO must be aware of the organisation's data sharing 
arrangements, but we would suggest that this wording is amended to state that “it may be appropriate for 
the DPO to be closely involved”. 


If you would like us to clarify or expand on any of the points above, we are at your disposal to discuss 
further. 


Yours sincerely, 


Data Protection Team 


Sky Legal 

